It copies itself to the following locations:
• %SYSDIR%\qepdjla.dll
• %drive%\RECYCLER\%CLSID%\jwgkvsq.vmx

It deletes the initially executed copy of itself.

The following file is created:

– %drive%\autorun.inf
   This is a non-malicious text file with the following content:
   • %code that runs malware%

It tries to execute the following file:

– Filename:
   • explorer C:

Registry

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%]
   • "Description"="Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
   • "DisplayName"="Update Driver"
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020
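A triage check for the service key described above, written as an added example and not code from the original write-up: it parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and reports service keys whose values all match the ones listed, since the key name itself is random. The sample output and both key names in it are constructed.

```python
import re

# Values the page lists for the service key. The key name is random, so the
# match is made on the values. Strings are lower-cased for comparison.
EXPECTED = {
    "displayname": "update driver",
    "imagepath": r"%systemroot%\system32\svchost.exe -k netsvcs",
    "objectname": "localsystem",
    "start": 0x2,
    "type": 0x20,
}
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# Constructed sample; ExampleSvc shares the svchost image path but not the rest.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    DisplayName    REG_SZ    Example Service
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzplhw
    DisplayName    REG_SZ    Update Driver
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    ObjectName    REG_SZ    LocalSystem
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
"""

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and line.strip():
            # Value lines: name, type, data separated by a tab or four spaces.
            parts = re.split(r"\t| {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                name, vtype, data = parts
                current[name.lower()] = int(data, 16) if vtype == "REG_DWORD" else data.lower()
    return keys

def find_matching_services(text):
    """Return direct subkeys of Services whose values all equal EXPECTED."""
    hits = []
    for path, values in parse_reg_query(text).items():
        rel = path.lower()
        if rel.startswith(SERVICES) and "\\" not in rel[len(SERVICES):]:
            if all(values.get(k) == v for k, v in EXPECTED.items()):
                hits.append(path)
    return hits
```

`find_matching_services(SAMPLE)` returns only the `xkqzplhw` key; a hit is a lead to confirm against the file locations listed earlier, not a verdict on its own.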

It creates the following entry in order to bypass the Windows XP firewall: